CVE-2026-11397

Server-Side Request Forgery in WP Import Export Lite WordPress Plugin

Vulnerability report for CVE-2026-11397, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Wordfence

Description

The WP Import Export Lite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 3.9.30 via the wpie_import_upload_file_from_url AJAX action. The plugin's URL downloader first calls wp_safe_remote_get(), which correctly blocks private and reserved IP ranges. When that call returns a WP_Error, which is exactly the outcome for any blocked internal host, the Download::download_file() method falls back to GuzzleHttp\Client::request() with the original attacker-supplied URL, no SSRF protection, and TLS verification disabled. This makes it possible for authenticated attackers with administrator-level access and above to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services such as the cloud metadata endpoint at 169.
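The fallback pattern described above, beside a hardened shape of the same downloader, as an added illustration that is not the plugin's actual code (the function bodies, the wpie_ssrf_blocked error code and the use of wp_http_validate_url() are assumptions; wp_safe_remote_get(), wp_http_validate_url(), is_wp_error() and wp_remote_retrieve_body() are real WordPress HTTP API functions):

```php
<?php
// Illustrative reconstruction, not the plugin's code. Assumes the WordPress
// HTTP API is loaded and GuzzleHttp is available via the plugin's autoloader.
use GuzzleHttp\Client;

// Vulnerable shape: wp_safe_remote_get() returns a WP_Error for a blocked
// internal host, and that error is treated as "try again with fewer checks".
function download_file_vulnerable(string $url): string|WP_Error {
    $response = wp_safe_remote_get($url);
    if (!is_wp_error($response)) {
        return wp_remote_retrieve_body($response);
    }
    // SSRF: original URL, no host/IP filtering, TLS verification disabled.
    $client = new Client(['verify' => false]);
    return (string) $client->request('GET', $url)->getBody();
}

// Hardened shape: a blocked destination is a final answer, not a retry
// condition. The URL is checked up front with the same filter that
// wp_safe_remote_get() applies, redirects are not followed (a redirect could
// otherwise land on an internal host after validation), and any WP_Error is
// propagated instead of being retried with a less restrictive client.
function download_file_hardened(string $url): string|WP_Error {
    if (wp_http_validate_url($url) === false) {
        return new WP_Error('wpie_ssrf_blocked', 'URL failed safe-URL validation.');
    }
    $response = wp_safe_remote_get($url, ['redirection' => 0]);
    if (is_wp_error($response)) {
        return $response; // never degrade to an unfiltered HTTP client
    }
    if ((int) wp_remote_retrieve_response_code($response) !== 200) {
        return new WP_Error('wpie_bad_status', 'Unexpected response status.');
    }
    return wp_remote_retrieve_body($response);
}
```

Note that wp_http_validate_url() resolves the hostname once at validation time, so a host whose DNS answer changes between validation and the request (DNS rebinding) still needs network-level egress controls as a second layer.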


Affected Vendors & Products

Vendor: wp_import_export_lite
Product: wp_import_export_lite
Version range: all versions up to and including 3.9.30

Exploitability

CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Executive Summary

The WP Import Export Lite plugin for WordPress has a Server-Side Request Forgery (SSRF) vulnerability in all versions up to and including 3.9.30. This occurs via the wpie_import_upload_file_from_url AJAX action. When the plugin tries to download a URL, it first uses a safe method that blocks private or reserved IP addresses. However, if this safe method fails and returns an error, the plugin falls back to another method that does not have SSRF protections and disables TLS verification. This fallback allows authenticated users with administrator-level access or higher to make arbitrary web requests from the web application to internal or external locations.

This means attackers can potentially query or modify information from internal services, such as the cloud metadata endpoint at IP address 169.

Impact Analysis

This vulnerability allows authenticated administrators or higher to make unauthorized web requests from the server hosting the WordPress site to arbitrary locations. This can lead to exposure or modification of sensitive internal information.

  • Attackers can access internal services that are normally protected from external access.
  • Sensitive data such as cloud metadata can be queried or altered.
  • It may enable further attacks by leveraging internal network resources.
